Client requesting group membership check
Bob Franklin
rcf34 at cam.ac.uk
Sun Oct 4 15:55:57 CEST 2009
Hello,
We have a RADIUS server with a SQL backend running fine, authenticating
802.1X users to our Eduroam service.
We'd like to re-use the user database for purposes other than Eduroam.
We've got support for this in the SQL backend by it returning the status
of different services as being group memberships for a particular user
(e.g. a user who has Eduroam and dial-up access would be reported as being
in those groups in the usergroup table). This all appears to work fine.
However, because of the University's federated nature, individual colleges
and departments may run their own RADIUS servers and proxy the requests up
to ours (and possibly on to our proxies) for authentication and, possibly,
confirm authorisation to use a particular service.
This relationship is not static and individual RADIUS clients may wish to
check the same user for different services at different points, so we
can't put a static configuration along the lines of 'this client is our
dial-up server and so we're checking for the dial-up group'. Also, we
don't wish to return the full list of enabled services with each request
but allow them to merely check individual services.
The way I can see to do this is allow clients to submit requests with a
custom local attribute (e.g. 'UCam-Requested-Service'). If this attribute
were present, we would fail the authentication if the user was not a
member of the appropriate group (but otherwise authenticated OK).
Before I embark on doing something along these lines, am I missing a
better way to go about things, or is there some mechanism already
available which would achieve this?
Thanks for any help or advice,
- Bob
--
Bob Franklin <rcf34 at cam.ac.uk> +44 1223 748479
Network Division, University of Cambridge Computing Service
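The attribute-driven check described in the message above, as an added example that is not part of the original post or of the FreeRADIUS project's own configuration. It assumes FreeRADIUS 2.x unlang, an rlm_sql instance named `sql` whose group queries are configured for the usergroup table, and a placeholder vendor number for the local UCam dictionary; any intermediate college or departmental proxies would also have to forward the attribute unchanged for the check to see it.

```unlang
# Added example (not from the original post): one way to implement the
# 'UCam-Requested-Service' idea on a FreeRADIUS 2.x server using unlang.
# The vendor number and attribute number below are placeholders; the
# real values come from the local dictionary.

# --- raddb/dictionary (local additions, shown here as comments) ---
# VENDOR       UCam                     99999
# BEGIN-VENDOR UCam
# ATTRIBUTE    UCam-Requested-Service   1   string
# END-VENDOR   UCam

# --- raddb/sites-enabled/default, post-auth section ---
# post-auth only runs for requests that have already authenticated OK,
# so a missing group turns an Access-Accept into an Access-Reject
# without touching the authentication path itself.  Requests that carry
# no UCam-Requested-Service attribute are accepted as before.
post-auth {
    if (request:UCam-Requested-Service) {
        # SQL-Group is the check attribute registered by rlm_sql; it runs
        # the configured group membership query for the User-Name.
        if (SQL-Group == "%{request:UCam-Requested-Service}") {
            # user holds the requested service, let the Accept through
            ok
        }
        else {
            # authenticated, but not entitled to this particular service
            update reply {
                Reply-Message := "Not authorised for service %{request:UCam-Requested-Service}"
            }
            reject
        }
    }
    sql
}
```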